Chapter 7: State Data Breach Notification, Data Security, and Data Destruction Laws

Notification: Whom to Notify

Breach laws commonly require notice to three audiences: affected residents (all 50 states), state attorneys general/agencies (about two-thirds), and nationwide consumer reporting agencies (CRAs) (about two-thirds).

Who must be notified
Recipient	How many states
Affected residents	All 50 states
State attorney general / state agency	Approximately two-thirds
Nationwide consumer reporting agencies (CRAs)	Approximately two-thirds

Key terms - quick answers

What is “Consumer reporting agency (CRA)”?

A nationwide credit bureau that some state laws require to be notified of a data breach; CRAs have established email addresses to receive breach reports.

← Breach Laws: Security Breach and Risk-of-Harm Notification: Timing to Affected Parties →